Howto configure Qmail Mail server to Listen on port 587 for SMTP with STARTTLS

If you followed the Qmailrocks or the updated QmailThibs Qmailrocks tutorial, you have configured the Qmail SMTP server to listen by default for encrypted SSL connections on port 465. However, many POP3 Secure / IMAP Secure mail clients do auto-configuration, and many prefer to have port 587 configured as well to accept secure SMTP connections with STARTTLS support, rather than port 465 secure connections with an SSL certificate.

So the logical question is: how do you configure port 587 to listen for STARTTLS connections?

In the article below I'll show you how to configure Qmail to also have a listener on TCP port 587.

There are probably numerous ways to configure Qmail to listen on 587. Here I assume it is already configured to properly accept mail on SMTP port 25, and that IMAP Secure and POP Secure are properly configured, so that Thunderbird and Outlook desktop mail clients can communicate (send / receive mail) without obstacles with the custom configured mail server.

By the way, many have another reason for running a Qmail SMTP listener on 587 besides 25: some Internet Service Providers (ISPs) purposefully filter access to unencrypted port 25 for the sake of reducing automated spam sent in their networks.

So here we go.

Howto setup Qmail Mail server to have a listener on Port 587

Here I assume you already have qmail-smtpd running as a service via Dan Bernstein's Daemontools (supervise), e.g. the qmail-smtpd run script is stored in, let's say, /var/qmail/supervise/qmail-smtpd and linked properly to run from /service/qmail-smtpd

ls -al /service/qmail-smtpd
lrwxrwxrwx 1 root root 32 сеп 18  2012 /service/qmail-smtpd -> /var/qmail/supervise/qmail-smtpd/

cd /var/qmail/supervise/
cp -rf qmail-smtpd/ qmail-smtpd587/

Once the script template is copied, we need to change the default listener port from 25 to 587. To do so, edit the /var/qmail/supervise/qmail-smtpd587/run respawn script:

vim /var/qmail/supervise/qmail-smtpd587/run

If you're not familiar with vim, use nano / pico / joe / emacs etc., or your favourite text editor; if you're running an X server environment with GNOME on the server (hope you didn't), for simplicity you can even use gedit.

Here we need to change

PORT=25

to

PORT=587

Also make sure the script value of

FORCE_TLS=0

(if configured that way) is set to:

FORCE_TLS=1

The value of

AUTH=0

should also be equal to

AUTH=1

Here I assume the run script is the standard one from the ex-QmailRocks step by step qmail install (whose up-to-date version is the so-called QmailRocks Qmail Thibs).

For some older or custom Qmail installs, /var/qmail/supervise/qmail-smtpd587/run might look slightly different, e.g. it could be something like:

exec /usr/local/bin/softlimit -m 50000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 smtp \

If you find that your just-copied /var/qmail/supervise/qmail-smtpd587/run script has a structure like that, then you will instead have to change it to look like so to enable the 587 TLS port listener:

exec /usr/local/bin/softlimit -m 50000000 \
/usr/local/bin/tcpserver -v -R -l "$LOCAL" -x /etc/tcp.smtp.cdb -c "$MAXSMTPD" \
-u "$QMAILDUID" -g "$NOFILESGID" 0 587 \

Save the file. Now what is left is to also make the necessary changes for logging to work in /var/qmail/supervise/qmail-smtpd587/log/run

Before we do that, we'll copy the log files from /var/log/qmail/qmail-smtpd to /var/log/qmail/qmail-smtpd587
(Note: if your qmail-smtpd log is configured in some other location, just change the appropriate paths in the cp command below)

cp -rpf /var/log/qmail/qmail-smtpd /var/log/qmail/qmail-smtpd587

Once copied, edit the supervise script /var/qmail/supervise/qmail-smtpd587/log/run

Mine looks like so:

#!/bin/sh
VQ="/var/qmail"

exec env - PATH="$VQ/bin:/usr/local/bin:/usr/bin:/bin" \
setuidgid qmaill multilog t n1024 s1048576 n20 /var/log/qmail/qmail-smtpd

Add the 587 to the end of the qmail-smtpd directory so it looks like so:

#!/bin/sh
VQ="/var/qmail"

exec env - PATH="$VQ/bin:/usr/local/bin:/usr/bin:/bin" \
setuidgid qmaill multilog t n1024 s1048576 n20 /var/log/qmail/qmail-smtpd587

If you're not running QmailRocks based Qmail scripts but some custom ones, you might have something different here too, for example:

exec setuidgid qmaill multilog t s100000 n20 /var/log/qmail/qmail-smtpd 2>&1

In that case also add the 587 to the end of qmail-smtpd so the file content is like so:

exec setuidgid qmaill multilog t s100000 n20 /var/log/qmail/qmail-smtpd587 2>&1

All that is left is to link the newly copied supervise scripts so they are processed by the daemontools auto-respawn service:

cd /service/
ln -s /var/qmail/supervise/qmail-smtpd587

Now restart qmail with the qmailctl script, or whatever script you're using, to make the qmail server processes reload:

qmailctl restart

Restarting qmail:
* Stopping qmail-smtpdssl.
* Stopping qmail-smtpd.
* Sending qmail-send SIGTERM and restarting.
* Restarting qmail-smtpd.
* Restarting qmail-smtpdssl.
* Restarting qmail-pop3d.

Now that we should have everything set up, the last step is to check that the TCP port 587 listener is listening / accepting connections on the GNU / Linux server:

netstat -lptn|grep -i 587
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN 9396/tcpserver

As you see, everything looks fine and we're listening on 587. It is generally a good idea to also check all the running services on the server, including the rest of the Qmail listeners, to make sure nothing else broke, so I recommend you issue once again:

netstat -lptn

….

It is also recommended to check the readproctitle daemontools process to make sure no errors are reported while running the supervise scripts. To do so, run:

ps axu|grep -i readproc
root 6029 0.0 0.0 3756 356 ? S Aug31 0:00 readproctitle service errors: ………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………………….
root 6542 0.0 0.0 112404 920 pts/0 S+ 13:25 0:00 grep -i readproc

The many dots above indicate that no errors were encountered while running the supervise scripts and everything is okay. If you instead get some errors, you have to debug what is crashing and fix it, but hopefully you got through without any errors, just like me. Even if there are errors, expect something minor like a typo in the just-modified run scripts, a missing log path or similar.
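
One way to double-check the edits above before restarting, as an added example that is not part of the original article: a small shell function that audits the copied qmail-smtpd587 directory for a port that is not 587, FORCE_TLS or AUTH left at 0, and a log/run that still writes to the port 25 log directory. The function names and the sample files are made up for this example; the variable names and paths are the ones used above.

```shell
#!/bin/sh
# Added example (not from the original article): audit a copied
# qmail-smtpd587 service directory for edits that were missed.
audit_submission_service() {
    run=$1/run; logrun=$1/log/run; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }
    pfx='^[[:space:]]*(export[[:space:]]+)?'   # optional "export " before VAR=
    [ -f "$run" ] || { fail "missing $run"; return 1; }
    # Port: PORT=587 (QmailRocks style) or "0 587" on the tcpserver line.
    grep -Eq "${pfx}PORT=587([[:space:]]|\$)" "$run" ||
        grep -Eq '[[:space:]]0[[:space:]]+587([[:space:]]|$)' "$run" ||
        fail "listener port is not 587"
    # FORCE_TLS and AUTH are only checked when the script defines them.
    for want in FORCE_TLS=1 AUTH=1; do
        var=${want%%=*}
        if grep -Eq "${pfx}${var}=" "$run" &&
           ! grep -Eq "${pfx}${want}([[:space:]]|\$)" "$run"; then
            fail "$var is defined but not set to 1"
        fi
    done
    # log/run must point multilog at its own directory, not the port 25 one.
    if [ -f "$logrun" ]; then
        grep -Eq 'multilog .*qmail-smtpd587([[:space:]]|/|$)' "$logrun" ||
            fail "log/run does not write to a qmail-smtpd587 directory"
    else
        fail "missing $logrun"
    fi
    return "$problems"
}

# Constructed sample: a copy where only PORT was changed.
make_sample() {
    mkdir -p "$1/log"
    printf '%s\n' '#!/bin/sh' 'PORT=587' 'FORCE_TLS=0' 'AUTH=1' > "$1/run"
    printf '%s\n' '#!/bin/sh' \
        'exec setuidgid qmaill multilog t s100000 n20 /var/log/qmail/qmail-smtpd 2>&1' \
        > "$1/log/run"
}

if [ $# -gt 0 ]; then audit_submission_service "$1"; fi
```

Saved to a file and run with the service directory as its argument, it prints one PROBLEM line per finding and exits with the number of problems found.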

In the meantime, if you happen to have a Qmail, Postfix or other mail server with errors you can't solve and need help or system administration services at a cheaper price, please hire me to manage it.

That's all. Enjoy using your mail client of choice to connect to 587 with TLS.


One Response to “Howto configure Qmail Mail server to Listen on port 587 for SMTP with STARTTLS”

  1. admin says:

    In case you’re wondering why you might prefer port 587 with STARTTLS instead of port 465’s SSL encrypted connection, and what the difference is between STARTTLS and an SSL secured connection, here is a short explanation that sheds some light on it:

    “SSL and TLS both provide a way to encrypt a communication channel between two computers (e.g. your computer and our server). TLS is the successor to SSL and the terms SSL and TLS are used interchangeably unless you’re referring to a specific version of the protocol.

    STARTTLS is a way to take an existing insecure connection, and upgrade it to a secure connection using SSL/TLS. Note that despite having TLS in the name, STARTTLS doesn’t mean you have to use TLS, you can use SSL.”
